
At the end of each year, I think it’s a good idea to take a look back and see what lessons were learned in order to improve our posture for the upcoming year and its challenges. 2022 was a difficult year for many in the cybersecurity field, and the good folks at Security Boulevard have compiled a list of the Top 9 Cybersecurity Lessons of 2022. I highly recommend that practitioners, and anyone interested in the field, read the Security Boulevard article.
Healthcare and financial services remain major targets for ransomware attackers. In some cases the financial incentive is straightforward, but the healthcare industry additionally risks the loss of human life if ransomware hits the wrong system. In addition, Distributed Denial of Service (DDoS) attacks have been on the rise, with the last quarter's reporting showing that the primary targets are the gaming and gambling industries. Those industries offer attackers a considerable financial incentive because customers' online wallets are akin to bank accounts.
Third-party or supply chain risk continues to be one of the most significant risks that any organization faces. It doesn’t matter how good an organization's own security policies and practices are if it allows any third party to connect to its systems without scrutiny. Some of the most widely known security incidents can be traced back to insecure third-party access.
Various frameworks and standards exist and are being worked on by a number of companies, regulators, and governments. The concern is that those frameworks and standards are not cohesive: adopting one does not satisfy the others. As a result, organizations carry a resource burden to apply best practices and to meet compliance standards that may be mandatory in order to operate.
As the final point in Security Boulevard’s article highlights, cyber incidents top the list of business risks. One of the most important recommendations I can make is that the boards and/or executive leadership of these organizations build competency in managing cybersecurity risk. This can be done either by training the board directly, through programs such as those offered by the National Association of Corporate Directors (NACD), or by bringing cybersecurity professionals with extensive experience onto the board or into senior leadership roles. Cybersecurity, at the end of the day, is simply risk management, which every organization has to practice if it intends to have any kind of longevity.
© 2025 Stephen Garcia